Today's computer networks have no boundaries. Their perimeters started moving a few years ago as road warriors began carrying their laptops to sales or work sites, logging in for customer information, critical construction plans and other necessary resources. Next, they spread to the wireless and broadband networks in hotels, airports and Starbucks, as traveling executives and managers started logging in to read their e-mail or access year-end data for tomorrow's big meeting. Now, most office employees work, at least occasionally, from their home computers. People are logging in from all over the place using all sorts of devices - from laptops to PDAs to cell phones and even public kiosks - all accessing your confidential corporate data.

Ultimately, just like every other aspect of network and information security, this problem is best countered with a multi-layered, comprehensive model of assessment and protection, which provides a reliable degree of security where none used to exist. Aside from the obvious secure tunnel, the first layer must be the endpoint itself, which should have basic security (anti-virus, firewall and other malware protection) in place; the second layer is the gateway, which should include components that can reliably interrogate the endpoint to ensure this baseline security is present before granting network access. Lastly, all of this hinges on another layer of protection: the network access and endpoint security policies themselves.

Endpoint interrogation
SSL VPNs securely handle access on the basis of who is requesting access and from where. To some degree, SSL VPN vendors can test for things like the absence or presence of anti-virus and personal firewall software, the last time these were updated and whether they come from a trusted vendor. Most can also check things like OS type, OS version and patch level, browser version and patch level, the negotiated SSL cipher-spec, and a host of other variables. Doing this, however, requires integrating the VPN with a new and emerging group of products classified by market analysts as "Endpoint Security Policy Enforcement" (ESPE).

According to market research firm Stratecast Partners, the ESPE market is immature and shifting, its outcome depending mostly on whether or not the two dominant stakeholders - Cisco and Microsoft - will develop products that can interoperate. Cisco's Network Access Control lags the marketplace, according to the report, and Microsoft's Network Access Protection, which is being built into Microsoft's new Vista and Longhorn systems, hasn't even reached the market yet. Meanwhile, other vendors offering endpoint security policy enforcement have emerged, including Check Point's (Zone) Total Access Protection (TAP), ENDFORCE's Enterprise, InfoExpress' CyberGatekeeper, Senforce's Endpoint Security Suite, and Sygate/Symantec's Secure Enterprise.

The problem is, most of these vendors only support one or two anti-virus or personal firewall vendors and require custom code or pre-installed software on each device to get the most protection (or the product doesn't exist yet, in the case of Microsoft and Cisco). So how could you run these tests against products that are not supported, which, in the case of an employee-owned device, could be any one of hundreds of security applications? To meet the real market demand, vendor products need to be able to take readings off all kinds of security products running on all types of devices and brands of operating systems, regardless of whether they are remote, wireless or local to the corporate network.

What do you enforce?
Developing these policies takes a lot of planning and hard work. To get started, you must understand who accesses your network remotely and for what resources. Most of this can be learned by watching network traffic, followed by discussions with the business department leaders to understand their users' behaviors. This tells you, in general terms, what types of devices are requesting access (wireless mobile devices, static home PCs, etc.) and where they most commonly connect from. From that, you can start forming baseline policies around time- and location-based access, and you can also dictate access policy for different types of devices.
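The following is an added example, not code from the article, from F5 or from any of the ESPE vendors named above. It shows how a gateway could combine the endpoint interrogation results described earlier (anti-virus presence, vendor and signature age, firewall presence, OS patch level, cipher strength) with the time-, location- and device-type policies described in this section to reach a single access decision. The posture report, its field names and the policy thresholds are all constructed for illustration; a real gateway would populate the report from its own agent or browser plug-in and tune the thresholds to its own environment.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample: a normalized posture report as the gateway might collect
# it from an endpoint before granting access. Field names are assumptions.
SAMPLE_REPORT = {
    "device_type": "laptop",          # laptop | home_pc | mobile | kiosk
    "location": "hotspot",            # corporate | home | hotspot | unknown
    "os": "Windows XP",
    "os_patch_level": 2,              # e.g. service pack number
    "browser": "IE",
    "browser_version": 6,
    "av_present": True,
    "av_vendor": "Symantec",
    "av_last_update": "2006-04-20T09:00:00+00:00",
    "firewall_present": True,
    "tls_cipher_bits": 128,
}


@dataclass
class Policy:
    trusted_av_vendors: set
    max_av_signature_age: timedelta
    min_os_patch_level: dict          # OS name -> minimum patch level
    min_tls_bits: int
    allowed_device_types: set
    business_hours: tuple             # (start_hour, end_hour), UTC
    off_hours_locations: set          # locations still allowed full access off-hours


@dataclass
class Decision:
    access: str                       # "full" | "restricted" | "deny"
    reasons: list = field(default_factory=list)


# Constructed policy thresholds; tune to the environment being protected.
DEFAULT_POLICY = Policy(
    trusted_av_vendors={"Symantec", "McAfee", "Trend Micro"},
    max_av_signature_age=timedelta(days=7),
    min_os_patch_level={"Windows XP": 2, "Windows 2000": 4},
    min_tls_bits=128,
    allowed_device_types={"laptop", "home_pc", "mobile"},
    business_hours=(8, 18),
    off_hours_locations={"corporate", "home"},
)


def evaluate(report: dict, policy: Policy, now: datetime) -> Decision:
    """Decide what access the gateway should grant to this endpoint.

    Hard failures deny outright. Soft failures downgrade the session to a
    restricted profile (e.g. webmail only) so the user can keep working while
    remediating, which is what a quarantine network typically does.
    """
    deny, restrict = [], []

    # Device class: public kiosks and other unmanaged classes are refused.
    if report.get("device_type") not in policy.allowed_device_types:
        deny.append(f"device type {report.get('device_type')!r} not permitted")

    # Baseline protection must exist at all before anything else is considered.
    if not report.get("av_present"):
        deny.append("no anti-virus software detected")
    if not report.get("firewall_present"):
        deny.append("no personal firewall detected")

    # A weak tunnel cipher is a hard failure regardless of endpoint hygiene.
    bits = report.get("tls_cipher_bits", 0)
    if bits < policy.min_tls_bits:
        deny.append(f"cipher strength {bits} bits below required {policy.min_tls_bits}")

    # Anti-virus quality: trusted vendor and reasonably fresh signatures.
    if report.get("av_present"):
        if report.get("av_vendor") not in policy.trusted_av_vendors:
            restrict.append(f"anti-virus vendor {report.get('av_vendor')!r} not trusted")
        updated = datetime.fromisoformat(report["av_last_update"])
        if now - updated > policy.max_av_signature_age:
            restrict.append(f"anti-virus signatures older than {policy.max_av_signature_age.days} days")

    # OS patch level against the per-OS minimum; unknown OS cannot be vouched for.
    required = policy.min_os_patch_level.get(report.get("os"))
    if required is None:
        restrict.append(f"unknown operating system {report.get('os')!r}")
    elif report.get("os_patch_level", 0) < required:
        restrict.append(f"OS patch level {report.get('os_patch_level')} below required {required}")

    # Time- and location-based rule: outside business hours only the listed
    # locations keep full access; a hotspot at midnight gets the restricted profile.
    start, end = policy.business_hours
    in_hours = start <= now.hour < end
    if not in_hours and report.get("location") not in policy.off_hours_locations:
        restrict.append(f"off-hours connection from {report.get('location')!r}")

    if deny:
        return Decision("deny", deny)
    if restrict:
        return Decision("restricted", restrict)
    return Decision("full", ["all posture checks passed"])


if __name__ == "__main__":
    now = datetime(2006, 4, 25, 14, 0, tzinfo=timezone.utc)
    for label, rpt in [("laptop, daytime", SAMPLE_REPORT),
                       ("kiosk", dict(SAMPLE_REPORT, device_type="kiosk"))]:
        d = evaluate(rpt, DEFAULT_POLICY, now)
        print(f"{label}: {d.access} - {'; '.join(d.reasons)}")
```

Separating hard failures from soft ones is the design point: the author's "restricted" tier lets the gateway enforce the baseline without cutting off a traveling executive whose signatures are a week old, while a kiosk or a machine with no anti-virus at all never reaches internal resources.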

There's no stopping remote access, because we all know what a competitive advantage it has become to all forms of business. Hanging out with the sales teams and executives who travel non-stop, I know that the real necessity is being able to consistently and reliably give them a VPN connection from hotels, customer networks and wireless hot-spots like those at Starbucks and the airport concourse. To do that securely takes a lot of work at both the infrastructure and policy level, with ongoing education of the end users. If planned and executed right, remote access will continue to be a competitive advantage without creating new security risks for the well-protected enterprise network.

About the Author:
Ken Salchow has been employed by F5 Networks, Inc. for the past five years, where he has served in several capacities, currently as a security systems architect. In addition, he is the owner/operator of Binary Forensics, LLC ( www.b4n6.com ), a boutique computer forensics lab serving the legal community in criminal and civil litigation, and of Digital Interlopers, LLC, a boutique penetration testing organization serving small and medium business entities. He currently lives in Minnesota and can be reached at k.salchow AT f5.com.

F5 Networks is exhibiting at Infosecurity Europe 2006, Europe's number one information security event. Now in its 11th year, Infosecurity Europe continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 10,000 visitors from every segment of the industry. Held on the 25th - 27th April 2006 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in information security. www.infosec.co.uk
